Add a setting to allow anonymous access to individual gists while still RequireLogin everywhere else (#229)

* Add a setting to allow accessing individual gists without auth

This is a middle ground between the existing setting "Require Login",
which requires login to do anything at all, and having it off, which
shows a public list of gists and more generally allows discovering info
about the users/gists of the instance without login.

The idea of this setting is that it is "require login" for everything
except individual gists.

Fixes #228.


Co-authored-by: Thomas Miceli <tho.miceli@gmail.com>

internal/web/auth.go

@@ -442,3 +442,15 @@ func getAvatarUrlFromProvider(provider string, identifier string) string {
 	}
 	return ""
 }
+
+type ContextAuthInfo struct {
+	context echo.Context
+}
+
+func (auth ContextAuthInfo) RequireLogin() (bool, error) {
+	return getData(auth.context, "RequireLogin") == true, nil
+}
+
+func (auth ContextAuthInfo) AllowGistsWithoutLogin() (bool, error) {
+	return getData(auth.context, "AllowGistsWithoutLogin") == true, nil
+}

internal/web/git_http.go

@@ -19,6 +19,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
 	"github.com/rs/zerolog/log"
+	"github.com/thomiceli/opengist/internal/auth"
 	"github.com/thomiceli/opengist/internal/db"
 	"github.com/thomiceli/opengist/internal/git"
 	"github.com/thomiceli/opengist/internal/memdb"
@@ -70,12 +71,17 @@ func gitHttp(ctx echo.Context) error {
 
 			setData(ctx, "repositoryPath", repositoryPath)
 
+			allow, err := auth.ShouldAllowUnauthenticatedGistAccess(ContextAuthInfo{ctx}, true)
+			if err != nil {
+				panic("impossible")
+			}
+
 			// Shows basic auth if :
 			// - user wants to push the gist
 			// - user wants to clone/pull a private gist
 			// - gist is not found (obfuscation)
 			// - admin setting to require login is set to true
-			if isPull && gist.Private != db.PrivateVisibility && gist.ID != 0 && !getData(ctx, "RequireLogin").(bool) {
+			if isPull && gist.Private != db.PrivateVisibility && gist.ID != 0 && allow {
 				return route.handler(ctx)
 			}
 

internal/web/server.go

@@ -27,6 +27,7 @@ import (
 	"github.com/labstack/echo/v4/middleware"
 	"github.com/markbates/goth/gothic"
 	"github.com/rs/zerolog/log"
+	"github.com/thomiceli/opengist/internal/auth"
 	"github.com/thomiceli/opengist/internal/config"
 	"github.com/thomiceli/opengist/internal/db"
 	"github.com/thomiceli/opengist/internal/git"
@@ -309,7 +310,7 @@ func NewServer(isDev bool) *Server {
 
 		g3 := g1.Group("/:user/:gistname")
 		{
-			g3.Use(checkRequireLogin, gistInit)
+			g3.Use(makeCheckRequireLogin(true), gistInit)
 			g3.GET("", gistIndex)
 			g3.GET("/rev/:revision", gistIndex)
 			g3.GET("/revisions", revisions)
@@ -321,9 +322,9 @@ func NewServer(isDev bool) *Server {
 			g3.GET("/edit", edit, logged, writePermission)
 			g3.POST("/edit", processCreate, logged, writePermission)
 			g3.POST("/like", like, logged)
-			g3.GET("/likes", likes)
+			g3.GET("/likes", likes, checkRequireLogin)
 			g3.POST("/fork", fork, logged)
-			g3.GET("/forks", forks)
+			g3.GET("/forks", forks, checkRequireLogin)
 			g3.PUT("/checkbox", checkbox, logged, writePermission)
 		}
 	}
@@ -516,21 +517,31 @@ func logged(next echo.HandlerFunc) echo.HandlerFunc {
 	}
 }
 
-func checkRequireLogin(next echo.HandlerFunc) echo.HandlerFunc {
-	return func(ctx echo.Context) error {
-		if user := getUserLogged(ctx); user != nil {
+func makeCheckRequireLogin(isSingleGistAccess bool) echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(ctx echo.Context) error {
+			if user := getUserLogged(ctx); user != nil {
+				return next(ctx)
+			}
+
+			allow, err := auth.ShouldAllowUnauthenticatedGistAccess(ContextAuthInfo{ctx}, isSingleGistAccess)
+			if err != nil {
+				panic("impossible")
+			}
+
+			if !allow {
+				addFlash(ctx, tr(ctx, "flash.auth.must-be-logged-in"), "error")
+				return redirect(ctx, "/login")
+			}
 			return next(ctx)
 		}
-
-		require := getData(ctx, "RequireLogin")
-		if require == true {
-			addFlash(ctx, tr(ctx, "flash.auth.must-be-logged-in"), "error")
-			return redirect(ctx, "/login")
-		}
-		return next(ctx)
 	}
 }
 
+func checkRequireLogin(next echo.HandlerFunc) echo.HandlerFunc {
+	return makeCheckRequireLogin(false)(next)
+}
+
 func noRouteFound(echo.Context) error {
 	return notFound("Page not found")
 }

internal/web/test/auth_test.go

@@ -89,3 +89,61 @@ func login(t *testing.T, s *testServer, user db.UserDTO) {
 	err := s.request("POST", "/login", user, 302)
 	require.NoError(t, err)
 }
+
+type settingSet struct {
+	key   string `form:"key"`
+	value string `form:"value"`
+}
+
+func TestAnonymous(t *testing.T) {
+	setup(t)
+	s, err := newTestServer()
+	require.NoError(t, err, "Failed to create test server")
+	defer teardown(t, s)
+
+	user := db.UserDTO{Username: "thomas", Password: "azeaze"}
+	register(t, s, user)
+
+	err = s.request("PUT", "/admin-panel/set-config", settingSet{"require-login", "1"}, 200)
+	require.NoError(t, err)
+
+	gist1 := db.GistDTO{
+		Title:       "gist1",
+		Description: "my first gist",
+		VisibilityDTO: db.VisibilityDTO{
+			Private: 0,
+		},
+		Name:    []string{"gist1.txt", "gist2.txt", "gist3.txt"},
+		Content: []string{"yeah", "yeah\ncool", "yeah\ncool gist actually"},
+	}
+	err = s.request("POST", "/", gist1, 302)
+	require.NoError(t, err)
+
+	gist1db, err := db.GetGistByID("1")
+	require.NoError(t, err)
+
+	err = s.request("GET", "/all", nil, 200)
+	require.NoError(t, err)
+
+	cookie := s.sessionCookie
+	s.sessionCookie = ""
+
+	err = s.request("GET", "/all", nil, 302)
+	require.NoError(t, err)
+
+	// Should redirect to login if RequireLogin
+	err = s.request("GET", "/"+gist1db.User.Username+"/"+gist1db.Uuid, nil, 302)
+	require.NoError(t, err)
+
+	s.sessionCookie = cookie
+
+	err = s.request("PUT", "/admin-panel/set-config", settingSet{"allow-gists-without-login", "1"}, 200)
+	require.NoError(t, err)
+
+	s.sessionCookie = ""
+
+	// Should return results
+	err = s.request("GET", "/"+gist1db.User.Username+"/"+gist1db.Uuid, nil, 200)
+	require.NoError(t, err)
+
+}